Web Programming Section where Web programming languages are shared


Working logic of antiviruses & crypters | .NET crypter.

Shezzar - ait Kullanıcı Resmi (Avatar)
Üyelik tarihi:
Teşekkür (Etti):
Teşekkür (Aldı):
(0) %
08-10-2020 00:40
Howdy, I am @Mapzilla

Today, I will teach you the logic of working antiviruses and crypters with my suggestions that may be false and true. Then I will make a .NET based crypter application.

I will use MalwareBytes for the example antivirus. It is not exactly antivirus but anti malware. It's a simple thing.

I'll use QuasarRAT for example malware, most of us know this. C# is a backdoor program coded in .NET.
+ Managing files and folders.
+ Taking downloads, uploads and files.
+ Managing the task manager.
+ Running command prompt commands.
+ Taking screenshot of desktop and webcam images
+ Managing the registry book

So malware has features like that. The malware takes over the Reverse Shell structure, the server becomes the hacker's computer; the client becomes the victim's computer. The hacker does port listening, the victim connects to the hacker with the specified IP and port.

I am creating a sample malware with QuasarRAT right now. The IP will be, this will be for the local computer. I will try it on my own computer. Btw malware and PUP protection of malwarebytes, my malware scanner and prevention program is turned on.

I saved my malware as "Backdoor.exe" on my desktop.

When I scan it with MalwareBytes;

When I run this;

It showed us the static and dynamic analysis of the application named Backdoor.exe as malware.

Static Analysis

Static analysis tries to match the code of the applications and the source code of malicious applications in their databases. If the matching is correct, the application is described as a virus.

In order to circumvent the virus program, we need to encrypt the byte codes of the application and when the crypter application runs, our malware that will decode the byte codes and appear in any directory. As a method in crypt generally, encryption methods such as BASE64 encoding technique, RC4, XOR, AES are used.

Let's code a sample scan-time crypter ...

We open a project in any IDE. Then I will encode the STUB, which will be compiled and which will decrypt the virus. I will code an application to integrate the bytes and compile the STUB project, so it's Binder.
STUB project;

Here the function named AESDecryption returns the byte codes of the encrypted malware by the specified key and IV. The unction extracts the specified decoded byte codes to the specified directory. Our directory is stored in a string file named "backdoorPath". So = "C: \ Users\Azad\AppData\Roaming\Backdoor.exe" will be extracted and the backdoor.exe will start.

In these codes, [KEY], [IV] and [BYTES] points are the important points to be considered. These are neither variable nor an input. We will save the codes of this project in a text d0cument and save it in resources in the binder project. Then we will replace the points [KEY], [IV] and [BYTES] and compile them with codedom.

I opened a new project and placed the uncompiled source code in the resources section.

Let's move on to the code section now.

(There was an error in the 36th line in the photo, there won't be a problem like this. This is a problem caused by me.)

Then we arrange the source code that we add to the resources using these values ​​with the replace function. And finally, we compile our STUB with the compile function.

The result;

And the STUB called Chrome.exe appeared.

We have to obfuscation this executable now, I will use smartassembly for obfuscation. This method blurs the codes and makes them difficult to read.

Now I will use virustotal for scanning results.

Note: If you have a purpose to use it, never scan to sites that send reports such as VirusTotal and turn off the report sending feature of antiviruses.

Pure Backdoor.exe

Backdoor.exe with Crypt.

As you can see, there has been a huge drop in detection rates but still this file will be detected when those 50 antiviruses are running. The crypter we do is scan-time.

Dynamic Analysis

The reason for this method is that the source code of viruses is encrypted and obfuscated in different ways. Thus, antiviruses cannot detect malware in database matches. That's why dynamic analysis is used in antiviruses. Dynamic analysis analyzes files, procces manager, network procession and many more.

There are also sandbox versions of these, testing the operations in any sandbox (like VirtualBox).

Let's code an example run-time crypter.

We open a project in any IDE. First I will encode the STUB that will be compiled and decoding the encrypted codes of the virus. Then I will code an application that will integrate the desired bytes into the STUB project and compile the STUB project, so Binder.

STUB Project;

As you can see instead of extracting it to the directory, we created a small process in memory in the run function and run the bytes resolved with AESDecryption there.

The first parameter of the MethodBase.Invoke asks where to start the code, we left null because we wanted main. The second parameter is the parameters of the main function, it can be edited optionally.

Note: This function is created for files working with .NET, if you want to crypt the executable file encoded with another based language, you may need to use the WIN32 APIs.

Bkz :

Now, we save those codes in a text d0cument and paste them into the resources section in the project we will open for Binder.

Let's move on to the code section now.

The result;

And the STUB called Chrome.exe appeared.

Let's try for run-time now.

As you can see MalwareBytes received a connection to the QuasarRAT server, so to the hacker (me) without any intervention.

How to circumvent the Sandbox

Some antivirus and anti-malware tests executable files in sandboxes and writes them to a log file, according to this log file the antivirus detects malware. Most sandboxes have runtimes, turn off after a certain amount of time, and show the log. In the past, when we set our operating system to sleep on the virtual machine, the virtual machine would see the application harmless. As a method of overcoming this again; We continuously open 2 spaces in the memory, fill in the 1st area and then transfer this 1st area to the 2nd area. So the sandbox detects the application as harmless and says "This is doing a lot, absolutely harmless".

A code for the example:

Now let's try it as an example;

The example that does not run harmless code first, runs the malicious code directly:

Example that runs the harmless code first and then runs the malicious code:

There are a lot of sandbox circumvention methods like this one.

That's all for this topic. Antiviruses and anti-malware can still detect these methods, but if they come up with different methods, they won't work either. I would suggest coding the type of file to be crypter instead of crypter so it's both hard to catch. It is also easy to crypter if crypter is used.

International Forum Board Moderator - Feel free to PM me anything about forum!
Konu Provido tarafından (28-11-2020 12:57 Saat 12:57 ) değiştirilmiştir.
- Teşekkür etti.


« Önceki Konu | Sonraki Konu »